Using Exchange logs, how to alert when someone emails more than 50 recipients within 1 hour?


I'm trying to make an alert for when someone emails more then 50 people within a one hour time span. The issue is that I have multiple values in the recipients field per event. I am dealing with Exchange logs and I would like to just do something like where count > 50. Any one run into this issue before?

sender recipients

User1 bla1;bla2;blah3;blah4
User1 blah4;blah9
user2 user1;blah5
user1 blah1

0 Karma

New Member

Reading your question I am kinda thinking you are more refering to emails that have multiple recipients or say they go to distro groups which to split out the recipients you would use mvexpand recipient. Using that breaks each recipient out so it is its own event. So instead of seeing the one email with 50 recipients as one item it will be the 50 items your threash hold is looking for. I am using a query like this to do manual lookups for now going to build it into a coorelated search to so it will fire a notable event. To make it a higher fidelity rule you will want add some exclusions say your company has some sort of blast broadcast email address you would include something like src_user!=blast address or if you know you have multiple you may want to include a lookup table for your exclusions.

email query|mvexpand recipient|stats count(recipient) as recipients by Sender, Subject | where recipients > 10

0 Karma


Try this:

... | makemv delim=";" recipients | bin span=1h _time | stats dc(recipients) as dc by _time sender | where dc > 50
Get Updates on the Splunk Community!

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...